Is a Cyber incident something you want to self-insure and manage? Consider the story of one of our dental practice clients.
The Background. This practice is an ideal customer: insurance is an important resource for their business, they regularly consult with their agent, they take recommendations to heart, and they consider quality more important than price. The practice management system they use is well known among dentists. Their IT team is well known and highly recommended in their area. The backup company they use is nationally known and one of the largest in the United States.
In other words, they were doing everything right, but… keep reading.
The Event. One day in December 2018, the office manager turned on her workstation to find a nearly blank screen with a small window stating, “Your data is encrypted. There is nothing you can do. Do not try to recreate your files. Follow this link to have your data restored.” The link led to an email address. About 8 hours after the practice made contact, a message like this arrived: send 4.5 bitcoins to this link and your data will be restored. For those of you wondering, 4.5 bitcoins was approximately $14,000 USD at the time.
The dentists discussed their options with their IT professionals, the practice management system vendor flew techs in, and the backup company was called. The backup company was not concerned: they were performing daily backups, and they assured the practice that its data could be restored from the previous day’s backup. As a result, no bitcoins were sent to the data-nappers.
The Surprise. Unfortunately, it turned out that the backup company had not backed up the practice data for two weeks. Two weeks of patient charts, appointment changes, treatment plans, images, bookkeeping, and everything they needed to see patients that day and going forward. The practice was forced to send patients home and develop a plan to get back up and running.
The Damage. All workstations had to be wiped clean. Programs had to be reinstalled. Personal information was lost. Patients had to be notified, but how would the practice reach them without access to their contact information? Basically, the practice had to rebuild their computer system from scratch. They had to figure out what to bill, what not to bill, and whether claims had already been filed with insurance companies. They had to recreate treatment plans and try to determine where they left off with ongoing treatments. They had to dedicate two employees for several weeks to recreating files from whatever paper records were available.
There is no silver lining, nothing that reached out of the sky to assist the practice. They lost income and patients.
The Insurance. Their Business Owners Policy doesn’t have any cyber liability protection. Their Professional Liability has $50,000 reimbursement for limited cyber incidents. A claim has been filed and they will likely be reimbursed for some of the damages. They were offered stand-alone Cyber Liability Insurance, but never purchased a policy because they didn’t think they needed it, based on the proactive measures they were taking and assurances from their vendors.
A stand-alone Cyber Liability policy would likely have cost them $800-$1500/year. It would have provided immediate access to a cyber coach to respond to the ransom demand, evaluate the restoration of their data, and coordinate a plan. It would also have paid to recreate data and files, to send any required notifications to patients, to cover loss of income and property damage, and to engage public relations services to maintain the practice’s reputation.
The Hindsight. Know that this is happening to your peers, your patients/clients, and the places you do business. Understand that this can happen to you, and you need to protect yourself. Use a real-time, redundant backup system if possible, and regularly test your backup system: confirm that each scheduled backup actually completed, keep at least one copy offline or otherwise out of reach of anything that could encrypt your network, and periodically restore from a backup to prove the data comes back intact. A vendor’s assurance that backups are running is not the same as a backup you have restored yourself. Protect your data. Make sure you’ve installed the latest updates, especially security-related updates. Create a security and disaster recovery plan, and share that plan with your staff and vendors. Insure against cyber incidents.
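The failure in this story was not that backups were never configured but that they had silently stopped two weeks before anyone needed them. The check below is an added example of the kind of test the hindsight advice calls for; it is not the practice's, the backup vendor's or the IT team's tooling. It assumes the backup job leaves a manifest of records shaped like {"completed_at": ISO-8601 UTC, "path": archive path, "sha256": hex digest}, and it assumes a 36-hour freshness limit for a daily schedule; both are assumptions for illustration. The demo data (three small fake archives dated around December 2018) is constructed inline so the script runs offline.

```python
"""Backup freshness and integrity check.

Added example (not the practice's, the backup vendor's or the IT team's tooling).
Assumes a backup job writes a manifest of records shaped like
{"completed_at": ISO-8601 UTC, "path": archive path, "sha256": hex digest};
the 36-hour freshness limit is an assumed policy for a daily backup schedule.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(hours=36)  # assumed policy: daily schedule plus slack


def sha256_file(path):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backups(manifest, now, max_age=MAX_BACKUP_AGE):
    """Return (ok, findings).

    A backup only counts if its archive exists and matches its recorded digest;
    freshness is then measured from the newest backup that passed, not from the
    newest record in the manifest. A job that logs a run but leaves no usable
    archive (the failure mode in the story) therefore shows up as a stale backup.
    """
    findings = []
    if not manifest:
        return False, ["no backup records at all"]
    verified = []
    for rec in manifest:
        path = rec["path"]
        if not os.path.exists(path):
            findings.append(f"{path}: archive missing")
            continue
        actual = sha256_file(path)
        if actual != rec["sha256"]:
            findings.append(f"{path}: checksum mismatch")
            continue
        verified.append(datetime.fromisoformat(rec["completed_at"]))
    if not verified:
        findings.append("no backup passed integrity verification")
        return False, findings
    age = now - max(verified)
    if age > max_age:
        findings.append(f"newest verified backup is {age.days} days old (limit {max_age})")
    return not findings, findings


def run_demo(days_since_last_backup, corrupt_latest=False):
    """Build a throwaway backup set in a temp directory and check it.

    Constructed data: three small fake archives, the newest taken
    `days_since_last_backup` days before a fixed 'now' of 2018-12-17.
    """
    now = datetime(2018, 12, 17, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        manifest = []
        for i in range(3):
            completed = now - timedelta(days=days_since_last_backup + i)
            path = os.path.join(d, f"practice-{completed:%Y%m%d}.tar.gz")
            with open(path, "wb") as f:
                f.write(f"fake archive {i}".encode())
            manifest.append({"completed_at": completed.isoformat(),
                             "path": path, "sha256": sha256_file(path)})
        if corrupt_latest:
            # Simulate the newest archive being damaged after the manifest was written.
            with open(manifest[0]["path"], "ab") as f:
                f.write(b"\x00")
        return check_backups(manifest, now)


if __name__ == "__main__":
    for label, args in [("healthy", (1,)), ("stale two weeks", (14,)),
                        ("latest corrupt", (1, True))]:
        ok, findings = run_demo(*args)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Run on a schedule and route a non-OK result to someone who will act on it; a check nobody reads is no better than the vendor's assurance in the story. The real test, a periodic restore onto a spare machine, still has to be done by hand, but this catches the two-week gap on day two rather than on the day of the ransom note.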